
Re: SSL/TLS connection on port 389



On Monday 28 January 2008 16:57:28 Chris Carr wrote:
> Hi All,
>
> I've been running slapd with "-h ldaps:///" so that it takes SSL/TLS
> connections on port 636. This has worked with most clients (Outlook,
> Seamonkey, Thunderbird) but does not work for Evolution. I don't know
> why not, but Evolution seems to insist on using port 389 for secure
> connections.

Which version of Evolution? Mine has a "Use secure connection" drop-down box, 
with "SSL encryption", "TLS encryption" and "No encryption" options. Since 
the port doesn't change based on your selection, I'll assume what they 
actually mean is "ldaps", "STARTTLS", and "No encryption". Naturally, 
STARTTLS would run on the normal unencrypted port (389 by default), 
and "upgrade" to SSL/TLS with a STARTTLS command.

It seems that no matter what you select here, if the port is 389, it does 
STARTTLS:

Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 ACCEPT from IP=127.0.0.1:53243 (IP=0.0.0.0:389)
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 STARTTLS
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 RESULT oid= err=0 text=
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 TLS established tls_ssf=256 ssf=256

However, if you select 636 as the port, it greys out the "Use secure 
connection" drop-down box, and does ldaps.

Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 ACCEPT from IP=127.0.0.1:54153 (IP=0.0.0.0:636)
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 closed (TLS negotiation failure)
Jan 29 18:03:58 seaknight slapd[840]: conn=15 fd=27 ACCEPT from IP=127.0.0.1:45074 (IP=0.0.0.0:389)

(Can't get it to work right now with ldaps ...).

Note however that evo caches LDAP connections; it seems you need to restart it 
for your config changes to take effect.

And, it will only prompt you for the password once the connection is up ...

> When I type
>
> openssl s_client -connect my.server.com:389
>
> It says connection refused. When I type the same command with :636 at
> the end it connects fine.
>
> Could somebody explain to me how to tell slapd to accept secure
> connections on port 389? I am using the new version of slapd in Debian
> Testing (2.4.7-1).

Start slapd with no -h flag, or -h "ldaps:/// ldap:///"; so it listens on 
port 636 for ldaps connections, and 389 for ldap connections (which could use 
START_TLS to upgrade).

> Sorry if this is a really stupid question, but according to the docs the
> "startTLS" process should be automatic if a secure connection comes in
> on port 389. Something is obviously not quite right.

Hmm, SSL/TLS isn't really automatic ...

Regards,
Buchan
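An added example, not from this thread, that reads slapd "stats" log lines like the ones quoted above and classifies each connection as STARTTLS, ldaps, TLS failure or cleartext, flagging a simple bind made before TLS was up. The sample is constructed from the mail's excerpts (re-joined), with an assumed BIND line on conn=15.

```python
import re
# Constructed sample: the mail's slapd log lines re-joined, plus an assumed simple BIND on conn=15.
SAMPLE_LOG = """\
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 ACCEPT from IP=127.0.0.1:53243 (IP=0.0.0.0:389)
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 STARTTLS
Jan 29 17:59:16 seaknight slapd[840]: conn=0 op=0 RESULT oid= err=0 text=
Jan 29 17:59:16 seaknight slapd[840]: conn=0 fd=15 TLS established tls_ssf=256 ssf=256
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 ACCEPT from IP=127.0.0.1:54153 (IP=0.0.0.0:636)
Jan 29 18:03:51 seaknight slapd[840]: conn=14 fd=27 closed (TLS negotiation failure)
Jan 29 18:03:58 seaknight slapd[840]: conn=15 fd=27 ACCEPT from IP=127.0.0.1:45074 (IP=0.0.0.0:389)
Jan 29 18:03:59 seaknight slapd[840]: conn=15 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Jan 29 18:03:59 seaknight slapd[840]: conn=15 fd=27 closed
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=\S+ \(IP=\S+:(\d+)\)")
OP_RE = re.compile(r'conn=(\d+) op=\d+ (?:(STARTTLS)|BIND dn="([^"]*)" method=(\d+))')
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+)")
CLOSE_RE = re.compile(r"conn=(\d+) fd=\d+ closed(?: \((.*)\))?$")

def classify(log_text):
    conns = {}
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            conns[m[1]] = {"port": int(m[2]), "starttls": False, "tls": False,
                           "ssf": 0, "cleartext_bind": False, "error": None}
            continue
        m = TLS_RE.search(line) or OP_RE.search(line) or CLOSE_RE.search(line)
        c = conns.get(m[1]) if m else None
        if c is None:
            continue                      # RESULT lines, or a conn we never saw ACCEPT for
        if m.re is TLS_RE:                # logged for both ldaps and a completed STARTTLS
            c["tls"], c["ssf"] = True, int(m[2])
        elif m.re is OP_RE:
            if m[2]:                      # the STARTTLS extended operation itself
                c["starttls"] = True
            elif m[3] and m[4] == "128" and not c["tls"]:
                c["cleartext_bind"] = True  # simple (password) bind with no TLS yet: sent in clear
        elif m[2]:                        # CLOSE_RE with a reason, e.g. TLS negotiation failure
            c["error"] = m[2]
    return conns

def verdict(c):
    if c["tls"]:
        return "starttls" if c["starttls"] else "ldaps"
    return "tls-failure" if c["error"] else "cleartext"

if __name__ == "__main__":
    for cid, c in classify(SAMPLE_LOG).items():
        print(f"conn={cid} port={c['port']} {verdict(c)} ssf={c['ssf']} cleartext_bind={c['cleartext_bind']}")
```

Run it against a real slapd log (loglevel stats) to see which clients are still binding in the clear on 389 before deciding whether to keep the ldap:/// listener.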